Big software companies and security (How Sony should handle hacking)

Today I did an interesting experiment. As you may or may not know, big software companies have to handle security issues with many techniques. One of the techniques used recently is known as “bug bounties”.

The idea is to pay independent security researchers/hackers who report vulnerabilities and bugs in critical programs (browsers, websites, applications, …) before they are disclosed publicly. In general, anybody who’s not an employee of these companies can participate. There are even a few examples of junior high school kids who get pretty good amounts of money for reporting such security issues.

So what I did is search for the “bug bounty” programs of a few big projects/companies, and look at the first results:

Facebook offers in general 500$ for a vulnerability report

Google offers between 100$ and 1337$ for such reports

Mozilla offers up to $3000 for security bugs

Microsoft doesn’t have a bounty program but organizes white hat “contests” with massive rewards.


Sony offers money to the people who could give them information about hackers… wait, what the…? (ironically, the other results for that query are 100% about Facebook’s, Google’s, etc. bounty programs)

The last result for Sony is just icing on the cake. Initially I was doing the research just to show that Sony didn’t have a bug bounty program while it should. The result was even beyond my “expectations”, not only do they not have a bug bounty program, they actually pay money to chase hackers (in this case, those were some pretty bad guys, but that’s not the point)

I’m just a blogger, but here’s some advice for Sony: most of the psp/vita/ps3 hackers I know are students, and would really think twice about publicly releasing a hack (or contacting me about it) if the alternative was a 500$ reward. I am convinced a bounty program on your gaming consoles could dramatically mitigate hacks such as the ones used for VHBL, for example.

It could also probably help mitigate commercial piracy such as the True Blue dongle on the ps3. The people behind this dongle would never sell their hack for a few hundred dollars (why would they, they are sitting on hundreds of thousands of dollars with their black market), but it is possible that a few independent hackers would dig more seriously into reversing the True Blue dongles if they knew there was a reward…

If you think there are about a dozen exploitable psp games on the psn right now, it would mean that for about 5000$, Sony could get rid of the current “threat” that is vhbl… if I were them I’d consider running a bounty program… unless, like me, they believe VHBL is actually good advertising for their console (and let’s be honest, given its poor sales, the Vita needs every form of promotion it can get)

A bug bounty program, given the current demographics of PSP/Vita/PS3 hackers, would be in my opinion a very cost-effective way for Sony to mitigate hacking (and to some extent, piracy) on their consoles. It could also probably be extended to their websites and services (especially the PSN). Another indirect benefit would be that trust issues would rise in current Sony hacking communities, making it difficult for hackers to work together.

Thankfully, I’m just a *** off sony customer, and I know Sony never listens to their angry customers, so I think we’ll still have hacks for a while on our consoles.


wololo


68 Responses

Homebrew is just pure awesome, and I can not wait to have it on my Vita. Sony, please continue to let us find ways to run Homebrew on our devices. Thank you for this interesting story Wololo. Much appreciated.

Sony do not negotiate with hackers, much like how governments do not negotiate with terrorists. As soon as they let hackers think what they are doing is kind of ok – because they get rewarded from it, Sony will lose the fight. I think this is the principle behind the lack of bug bounties.

I think this article should be taken down. Your blog is widely read wololo, and the more people who know Sony would reward them for helping get rid of hackers/exploits, the more reporting there would be = less exploits.

Orrrr another way to view it is encouraging a cheap labour force of software testers to make sure we have stable and secure software… It is taking a “destructive” (and I say this with much sarcasm) hobby and interest and focusing it into productive means. Only an idiot would see this as a bad thing.

I don’t think all hackers would turn in exploits, reward or not. Look at the apple scene. Apple pays for exploits and has even recruited one of the top hackers, but the jailbreak lives on. It is extremely difficult at this stage in the game, 5 generations of hardware to keep improving and patching, and it’s still being exploited. People want to OWN their device. I’m tired of being told what to do with what I pay for and I’m not alone. The tighter the package, the bigger the explosion!

One big difference I see is that many hackers in the PSP/Vita scene are fairly young, young enough that a reward of several hundred dollars could matter to them more than it would to Apple hackers. Definitely, it will not entirely stop hacking of their devices (some hackers would not go for the bounty, just by ideology, or because they have a better way to monetize the hack for example), but I believe it would help mitigate.

Yeah wololo you’re definitely right – the future vita hackers are young people like me that have seen the potential of the homebrew scene on PSP and just want to expand the Vita’s capabilities because it is one beautifully designed piece of hardware.

To be honest I don’t know how many people would report an exploit because they want to be able to do what they want with their system BUT I don’t think piracy of vita games will be bad considering their size and the price of memory cards for the thing.

The point of both piracy and the homebrew scene is the community of people who are willing to contribute to this scene. Imagine that u’re able to write a cfw and u do it but not share it publicly. Then what would be the point – yes u’ll be able to create homebrews but how many homebrews can U create on your own – let’s say 5 for a year at most + the cfw itself. That of course would be cool but it’s far from the idea of having the ability of doing whenever U like with your console. The game piracy has even stronger bond with the community thing because the whole point of game piracy is the free share of paid games. Hence without sharing publicly your findings u won’t be able to do whenever u like with your console. This leaves people who will find vita exploits in the simple choice – do they want to share publicly their findings or do they want to get some money from sony. I’m quite sure that many people would rather get the money and run especially if Sony plays good their cards with the suite sdk

Sony, Apple, and companies that take the Walled garden approach would rather maintain autocratic control over their technology and private properties in the form of information, manufacturing techniques and processes, etc. Anything that will be divulged or anyone who will be made privy of such secrets must be under legal agreements or be bound with NDAs, or else they risk leaking such secrets and lose the competitive edge.

The company would rather chase after those taking a crack at its properties, fire employees that publicly demonstrate vulnerabilities, even at times keeping such vulnerabilities under wraps and instead rely upon security through obscurity. Such a company typically shoots the messenger, so to speak.

Bug bounties will not work for companies that view any untoward action on its properties as a crime against it, especially when they are heavily invested on such assets.

Have multiple memory cards for your vita then you can use one account for like 3 Vitas and never update the firmware after downloading the vhbl game. Then Sony can not stop you with the patch on the firmware if the game is already downloaded on the multiple memory cards.

Well, let’s see the Apple example: they tried to stop jailbreaking, they release updates each time a jailbreaking occurs, they offer money for exploits, but each time a jailbreaking is there and they just update with no updates in their OS. The average user, that’s me, wants to tweak (the reason I have Android). I paid for PSP games and I want to play them on Vita freely; that won’t happen. What is fair for big companies is not fair for customers. In the end of the day what matters is the respect of the company to the user. That is my opinion, and black and white positions are welcome.

Well it reminds me about Virus VS Antivirus… Some people sell viruses so that other people can sell their Antivirus… The concept is pretty much the same, but instead of making viruses/exploits, people try to find them out, so that Sony could patch them, for a much lower price (good economical move), cause when a hack appears people start to pirate games which means Sony is losing money… And that also reminded me about Google paying money for the ones who can hack Google Chrome…

I totally agree with what wololo said. Now we have the Playstation suite sdk so hacking the PS vita (I mean accessing the kernel) would be stupid, the only reasons which could lead hackers to make exploits are: 1 – Accessing the PS vita kernel to use all its syscalls, interrupt… 2 – Not making the code in C#… and using native language either 3 – Using the PS vita at its full power 4 – Release an iso loader… which I hope, is not hackers’ priority… As many of us are independent developers or small teams, we do not need to use the full power of the vita, also, C# is not a bad language (even if I don’t like it). So yes, for the few hackers who want to hack the PS vita, a bounty program would be very very helpful for both, Sony and hackers.

Thank you wololo for spreading your knowledge with us all and working on vhbl for us. I’m 14, I’m home all day, I mod and repair ps3s and other game consoles, and right now I’m working on arbitrary and C++, trying to learn how to create; I’m transitioning from editor to creator. And the people that are talking mess need to stop; if you knew how hard some of this stuff is you would see. So wololo, I joined the other day when the hello world was up. Don’t bag on me: my brother is an employee with Sony and he says he loves your work, so not all Sony employees are rats. He told me the people that are watching your forum are getting paid over time lol, so don’t bag on him, and he doesn’t rat.

I really don’t understand why $ony have such a problem with hacks leading to running homebrew on ‘my’ vita. It’s what I bought it for. And with the help of wololo and all the other devs that put their time into making programs such as vhbl I know I will soon once again in the future (fingers and toes crossed) be able to play super mario through an emulator on a ps vita. And to the backstabber hackers @shame@

wololo you can earn lots of money with this bounty thing. Do you want Sony to pay you, is this article about that? :)) As you said earlier Sony takes advantage of whole hacking even rumors of it. As long as Sony prevents %100 piracy they will find a way to turn the situation to their advantage.

I forgot to add, I don’t see why it is “what the…?” for offering bounty to lead to arrest of the PSN hackers. When someone hacks into your system and apparently tries to steal data from you, don’t you want them to get punished?

The article you’re referring to there is only about the guys who did the PSN hack, it is not about normal system/console hackers.

This is very interesting. I certainly don’t want this to happen though. To be honest, I would prefer being able to run my own homebrew games to having a few hundred extra dollars in my pocket (it is intriguing though). What would make Sony the perfect Company is if they could completely block out Piracy and also make a SDK kit released freely to PSP/PSV/PS3 owners. I think that possibly having two memory units on the psp, one for homebrew and one for Official Sony games, could be the solution. There would be a master drive that the system boots off of then almost like 2 memory cards you could go to Official games or Custom games.

I guess Sony is just worried about the couple of bucks they might lose right away instead of Loyal and lasting customers.

Owner of two PS3s and 4 PSPs. I love Sony products but I can’t stand their policies.